Configuring TLS for the management API

By default, TLS is disabled for the management API and you access the Edge management API over
HTTP by using the IP address of the Management Server node and port 8080. For example:

http://ms_IP:8080

Alternatively, you can configure TLS access to the management API so that you can access it in
the form:

https://ms_IP:8443

In this example, you configure TLS access to use port 8443. However, that port number is not
required by Edge - you can configure the Management Server to use other port values. The only
requirement is that your firewall allows traffic over the specified port.

To ensure traffic encryption to and from your management API, configure the settings in the
/opt/apigee/customer/application/management-server.properties
file.

In addition to TLS configuration, you can also control password validation (password length
and strength) by modifying the management-server.properties file.

Ensure that your TLS port is open

The procedure in this section configures TLS to use port 8443 on the Management Server.
Regardless of the port that you use, you must ensure that the port is open on the Management
Server. For example, you can use the following command to open it:

Note: This example uses port 8443 for the TLS port, and not the more common port 443.
The reason is that ports below 1024 are typically protected by the operating system and require
the process that accesses them to have root access. The Edge Management Server runs as the
"apigee" user and therefore typically does not have access to ports below 1024.

One alternative is to use a load balancer with the Edge API and terminate TLS on the load
balancer on port 443. You can then use either HTTP or HTTPS between the load balancer and the
Edge API.

Another alternative is to use iptables to forward requests to port 443 to
port 8443. For example:

Edit /opt/apigee/customer/application/management-server.properties
to set the following properties. If that file does not exist, create it:

conf_webserver_ssl.enabled=true
# Leave conf_webserver_http.turn.off set to false
# because many Edge internal calls use HTTP.
conf_webserver_http.turn.off=false
conf_webserver_ssl.port=8443
conf_webserver_keystore.path=/opt/apigee/customer/application/keystore.jks
# Enter the obfuscated keystore password below.
conf_webserver_keystore.password=OBF:obfuscatedPassword
conf_webserver_cert.alias=apigee-devtest

where keystore.jks is your keystore file, and
obfuscatedPassword is your obfuscated keystore password. See Configuring TLS/SSL for Edge On Premises for
information on generating an obfuscated password.

Restart the Edge Management Server by using the command:

$ /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart

The management API now supports access over TLS.

After ensuring that TLS is working correctly, including ensuring that it is working for the
Edge UI, you can disable HTTP access to the management API as described in the next
section.

Configure the Edge UI to use TLS to access the Edge API

In the procedure above, Apigee recommended leaving conf_webserver_http.turn.off=false so that
the Edge UI can continue to make Edge API calls over HTTP.

Warning: Apigee recommends that you disable HTTP access in
production environments.

Use the following procedure to configure the Edge UI to make these calls over HTTPS only:

Configure TLS access to the management API as described above.

After confirming that TLS is working for the management API, edit /opt/apigee/customer/application/management-server.properties to
set the following property:

conf_webserver_http.turn.off=true

Restart the Edge Management Server by using the command:

$ /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart

Edit /opt/apigee/customer/application/ui.properties
to set the following property for the Edge UI. If that file does not exist, create it:

conf_apigee_apigee.mgmt.baseurl="https://FQDN:8443/v1"

where FQDN is the fully qualified domain name of the Management Server, matching the name in
your certificate, and the port number is the port specified above by
conf_webserver_ssl.port.

Only if you used a self-signed cert (not recommended in a production
environment) when configuring TLS access to the management API above, add the
following property to ui.properties:

conf/application.conf+play.ws.ssl.loose.acceptAnyCertificate=true

Otherwise, the Edge UI will reject a self-signed cert.

Restart the Edge UI by using the command:

$ /opt/apigee/apigee-service/bin/apigee-service edge-ui restart

TLS properties for the Management Server

The following table lists all of the TLS/SSL properties that you can set in management-server.properties:

Property
    Description

conf_webserver_http.port=8080
    Default is 8080.

conf_webserver_ssl.enabled=false
    Enables or disables TLS/SSL. With TLS/SSL enabled (true), you must also set the
    ssl.port and keystore.path properties.

conf_webserver_http.turn.off=true
    Enables or disables HTTP alongside HTTPS. If you want to use only HTTPS, leave the
    default value of true.

conf_webserver_ssl.port=8443
    The TLS/SSL port. Required when TLS/SSL is enabled (conf_webserver_ssl.enabled=true).

conf_webserver_keystore.path=<path>
    The path to your keystore file. Required when TLS/SSL is enabled
    (conf_webserver_ssl.enabled=true).

conf_webserver_keystore.password=
    Use an obfuscated password in this format: OBF:xxxxxxxxxx

conf_webserver_cert.alias=
    Optional keystore certificate alias.

conf_webserver_keymanager.password=
    If your key manager has a password, enter an obfuscated version of the password in
    this format: OBF:xxxxxxxxxx

conf_webserver_trust.all=<false | true>
conf_webserver_trust.store.path=<path>
conf_webserver_trust.store.password=
    Configure settings for your trust store. Determine whether you want to accept all
    TLS/SSL certificates (for example, to accept non-standard types). The default is
    false. Provide the path to your trust store, and enter an obfuscated trust store
    password in this format: OBF:xxxxxxxxxx

conf_webserver_exclude.cipher.suites=<CIPHER_SUITE_1 CIPHER_SUITE_2>
conf_webserver_include.cipher.suites=
    Indicate any cipher suites you want to include or exclude. For example, if you
    discover a vulnerability in a cipher suite, you can exclude it here. Separate
    multiple cipher suites with a space.
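As an added example (not Apigee's own tooling), the following POSIX shell script audits a management-server.properties and ui.properties pair against the procedure and the property table above: TLS enabled with a port and keystore path, an OBF: keystore password rather than plaintext, HTTP turned off for production, trust.all not enabled, the UI base URL using https on the configured TLS port, and the self-signed acceptAnyCertificate setting left off. The sample files, the audit_tls and prop helpers, and the host name ms.example.com are constructed for this example.

```shell
#!/bin/sh
# Added example (not Apigee's own tooling): audit the TLS settings of an Edge
# Management Server and Edge UI pair. Sample files are constructed; in production
# they live under /opt/apigee/customer/application/.
# prop FILE KEY: print the value of KEY (last occurrence wins), ignoring comment
# lines and surrounding double quotes.
prop() {
    grep -v '^[[:space:]]*#' "$1" | sed -n "s|^$2=||p" | tail -n 1 | tr -d '"'
}
# audit_tls MS_PROPS UI_PROPS: print one FAIL line per finding; return the count.
audit_tls() {
    n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }
    [ "$(prop "$1" conf_webserver_ssl.enabled)" = true ] || fail "conf_webserver_ssl.enabled is not true"
    port=$(prop "$1" conf_webserver_ssl.port)
    [ -n "$port" ] || fail "conf_webserver_ssl.port is unset"
    [ -n "$(prop "$1" conf_webserver_keystore.path)" ] || fail "conf_webserver_keystore.path is unset"
    case "$(prop "$1" conf_webserver_keystore.password)" in
        OBF:*) ;;
        *) fail "keystore password is not obfuscated (expected OBF:...)" ;;
    esac
    [ "$(prop "$1" conf_webserver_trust.all)" != true ] || fail "trust.all=true accepts any certificate"
    [ "$(prop "$1" conf_webserver_http.turn.off)" = true ] || fail "HTTP still on; set conf_webserver_http.turn.off=true in production"
    base=$(prop "$2" conf_apigee_apigee.mgmt.baseurl)
    case "$base" in
        https://*:"$port"/v1) ;;
        *) fail "UI baseurl '$base' is not https on TLS port '$port'" ;;
    esac
    [ "$(prop "$2" conf/application.conf+play.ws.ssl.loose.acceptAnyCertificate)" != true ] \
        || fail "UI accepts any certificate (self-signed mode); not for production"
    return "$n"
}
# write_samples DIR: constructed hardened pair; ms.example.com is a placeholder FQDN.
write_samples() {
    cat > "$1/management-server.properties" <<'EOF'
conf_webserver_ssl.enabled=true
conf_webserver_http.turn.off=true
conf_webserver_ssl.port=8443
conf_webserver_keystore.path=/opt/apigee/customer/application/keystore.jks
conf_webserver_keystore.password=OBF:obfuscatedPassword
conf_webserver_cert.alias=apigee-devtest
EOF
    cat > "$1/ui.properties" <<'EOF'
conf_apigee_apigee.mgmt.baseurl="https://ms.example.com:8443/v1"
EOF
}
dir=$(mktemp -d); write_samples "$dir"
audit_tls "$dir/management-server.properties" "$dir/ui.properties" && echo "OK: no findings"
```

Run it against the real files by passing their paths to audit_tls; a nonzero exit status is the number of findings, so it can gate a deployment check.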